| id: GO-2022-0534 |
| modules: |
| - module: github.com/runatlantis/atlantis |
| versions: |
| - fixed: 0.19.7 |
| vulnerable_at: 0.19.6 |
| packages: |
| - package: github.com/runatlantis/atlantis/server/controllers/events |
| symbols: |
| - DefaultGitlabRequestParserValidator.ParseAndValidate |
| summary: Timing attack in github.com/runatlantis/atlantis |
| description: |- |
| Validation of Gitlab requests can leak secrets. |
| |
| The package github.com/runatlantis/atlantis/server/controllers/events uses a |
| non-constant time comparison for secrets while validating a Gitlab request. This |
| allows for a timing attack where an attacker can recover a secret and then forge |
| the request. |
| published: 2022-08-11T20:54:51Z |
| cves: |
| - CVE-2022-24912 |
| ghsas: |
| - GHSA-jxqv-jcvh-7gr4 |
| credits: |
| - cedws |
| references: |
| - fix: https://github.com/runatlantis/atlantis/pull/2392 |
| - fix: https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820 |
| - web: https://github.com/runatlantis/atlantis/issues/2391 |
| - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851 |
| review_status: REVIEWED |